Review Process/Policy

[Sancus]

We should have a documented step by step review policy for adding XML files to the database, likely via Pull Request.

There is some helpful information in the official docs, but not a real review guide or policy on what's supposed to be allowed and not.

This would likely work in combination with #4 to make submission easier.

[benbucksch]

Here's a start:

• Verify that the server hostnames, e.g. imap.example.com, match the email domain, e.g. [email protected]. If they do not, see next point.
• For all domains involved - server hostnames, all <domain> tags, OAuth2 authentication URLs, etc. -, use WHOIS and DNS MX (both) to verify that the server domain is owned by the same entity as the email domain.
• Make sure that all configurations have SSL or STARTTLS.
• Search for the documentation of the ISP, e.g. google for "example.com IMAP SMTP settings", and confirm that the configuation that was supplied matches. If there are discrepancies, ask.
• Check and verify that the config adheres to the official specification, in all details.
• Let the contributor confirm that he has tested this configuration. Make sure he has actually tested it, including sending of emails.
• Show the contributor how to test the config file locally using the "harddisk" mechanism, and let him confirm that he has tested this actual XML file and that Thunderbird indeed said that the config came from the local disk and not the ISPDB. Ideally, he should make a screenshot of the account setup config result dialog, and that he can read and send email with that config.

See also #4 (comment)

Docs:

• https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration
• https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat

[benbucksch]

Make sure that all configurations have SSL or STARTTLS.

If both are available, capture both, but make SSL (implicit TLS) the first and default option. It's both faster and more secure.

https://nostarttls.secvuln.info/

(Thanks to @cketti for the link.)